October 4, 2018

Cybersecurity Attacks vs. Physical Disasters

Natural disasters caused by extreme weather conditions, particularly hurricanes and typhoons, are becoming more devastating than ever. But while the World Economic Forum has tagged extreme weather events and natural disasters respectively as the top two global risks most likely to occur, a purely man-made risk isn’t far behind. Number three on that list is cybersecurity attacks.

But just how destructive are cybersecurity attacks compared to the other two? Let’s find out. In this post, we compare virtual disasters (i.e. data breaches and other cyber incidents) with physical disasters (caused by extreme weather events and natural disasters) in terms of cost, business downtime, chances of forcing businesses to close shop, and several other factors.

Business costs

Individually, the cost of physical disasters is still much larger than that of virtual disasters. For example, hurricanes Katrina and Harvey cost approximately $125 billion each, and the earthquake and tsunami that struck Japan in 2011 (which in turn caused the Fukushima nuclear plant meltdown) cost about $360 billion.

In comparison, here are some of the most expensive cybersecurity attacks in history and their corresponding costs:

MyDoom – $38.7 Billion

SoBig – $37.1 Billion

ILOVEYOU – $15 Billion

WannaCry – $4 Billion

Equifax data breach – $4 billion (this was the stock market value it lost a week after the consumer credit reporting agency reported it was hacked)

The most expensive attack is just a little over 10% of the most expensive natural disaster. However, it appears that virtual disasters happen more frequently. Let me elaborate.

Compare that to last year (2017), when the global cost of natural disasters was $306 billion. Of course, almost all these major natural disasters cost human lives, so if you factor that in, physical disasters can certainly be more devastating.

However, it’s worth noting that WannaCry and a few other recent ransomware attacks have been targeting hospitals and, in the case of WannaCry, managed to disrupt and hinder several medical procedures. Although not yet nearly as catastrophic as major natural disasters, virtual disasters have now undoubtedly gained the capacity to threaten human lives as well.

To make matters worse, companies that suffer a data breach can suffer even more losses through regulatory fines. This is in stark contrast to what happens to some businesses after getting hit by a natural disaster – some receive public/government aid.

Business operations

Just as there’s no arguing we’re in the midst of significant climate change and that physical disasters caused by extreme weather events will likely keep getting worse and more frequent, so it is that we’re now in a continually growing cyber age and that our hyper-dependence on interconnectivity, applications, and data will only continue to draw more destructive cybersecurity attacks.

Small business downtime

Virtual and physical disasters have a few other similarities. One is that small businesses can suffer multiple days of complete downtime when subjected to either type of event.

Similarly, malware outbreaks, like the ransomware attack that temporarily shut down SF Muni (San Francisco’s public transit) ticket terminals two years ago, can leave affected businesses incomeless for a day or more.

Small business complete closure

Because of their limited resources and because they can be easily overwhelmed by the sheer magnitude of a major disaster (whether virtual or physical), some small businesses might even be forced to close shop permanently. It’s easier to imagine that happening in the aftermath of a catastrophic earthquake, tsunami, or hurricane. But can cybersecurity attacks really do that, too?

It turns out they can, especially if the attack happens to strike a business highly dependent on digital assets. That’s exactly what happened to a small online retailer in the Midwest after 15,000 of its accounting and customer files got encrypted by ransomware. The company didn’t have the affected files backed up, and the decryption key failed to work even after they paid the $50,000 ransom. That company closed shop six months later after sales plunged.

Large enterprise downtime

Large enterprises, on the other hand, are usually more resilient to either type. And because physical disasters are mostly localized, large enterprises (particularly those that operate nationally or globally) are less likely to suffer complete downtime because their offices in other geographical locations can continue to operate.

You can’t say the same thing for cybersecurity attacks, especially those that involve rapidly propagating malware like WannaCry or Petya. Malware with wormlike properties can spread to virtually any network connected to the currently infected one. This means these types of attacks can still cause company-wide disruptions to large enterprises whose geographically dispersed offices are nevertheless interconnected through an intranet.

A prime example of this is the NHS attack last year, which took down 16 hospitals throughout the U.K., due to WannaCry. To mitigate any further damage, the hospitals shut down all computer systems and cancelled all non-urgent activity – rejecting patients until their systems were brought back online.

Reputational damage

These two types of disasters also differ in the level of reputational damage they bestow on a company. In fact, in some cases, a natural disaster can even inspire customers to rally behind a brand. The exact opposite happens after a data breach, which usually causes customers to lose confidence in the brand and consequently increases customer churn.

Basic considerations are more clearly defined and constant when you prepare for a physical disaster. Your geographic location alone will already tell you what the threats are. For instance, if you operate in a hurricane zone, then you’ll obviously need to prepare for floods and torrential rains. Or if you’re in the Ring of Fire, then you likely need to prepare for earthquakes and volcanic eruptions.

Unfortunately, you don’t have that same luxury of being able to identify threats that are most likely to strike when it comes to virtual disasters. Not only are there a variety of cyber threats, these types of threats are also constantly evolving. So, your preventive and recovery plans need to be updated regularly.

Another advantage of preparing for a physical disaster is that it’s much easier to solicit employee cooperation. That’s because they’ve most likely already experienced the impact of the threat sometime in the past. The same doesn’t hold true for virtual disasters, where, even if a cyber threat is already right in front of them (e.g. a phishing email has been detected), employees can still find it hard to fathom its impact.

Multiple locations

The presence of a geographically separate BC/DR site is important in dealing with both physical and virtual disasters. If floods inundate your production site, you can continue to operate if you have a BC/DR site in another location. Similarly, if a DDoS attack or ransomware outbreak cripples your main data center, you might still be able to operate if you have copies of your data and services in a geographically separate DR site.

The human element

A lot of virtual disasters, like malware outbreaks and data leaks, are caused by a user’s poor judgement or careless practices. Because of this human element, many of these virtual disasters can be avoided by arming employees with ample security education and training. You can’t use that strategy against physical disasters. While you can mitigate the impact of a physical disaster (e.g. by doing earthquake or fire drills), you really can’t do anything to prevent it from happening.

Cleanup and remediation

Cleanup and remediation activities following a natural disaster are usually straightforward and well defined. Assuming the disaster doesn’t totally wipe out your business and assuming basic services like power and water are available, you would probably be back in business in a few days.

Cyberattacks, on the other hand, are more complex. First, the attack or data breach might go undetected for 100 days or more. Then, once it does get detected, remediation might take another 60-70 days with traditional security companies (unlike Armor, which has an average dwell time of less than a day).

Gone are the days when an organization’s preparation and disaster recovery plans had to focus primarily on natural disasters. Cybersecurity attacks are fast becoming a serious and imminent threat. As such, you should not only factor them into your BC/DR plans but also treat them as one of your top priorities.

Armor is a global cybersecurity software company. We simplify protecting data and applications in private, public, or hybrid clouds as well as help organizations comply with major regulatory frameworks and controls. We know security is complex; it doesn’t have to feel that way.